[ogsa-authn-bof] Topical OGF Levels of Assurance (LoAs) BoF and activity initiative

[David Groep]

Dear all,

The OGF Security Area would like to draw your attention to an initiative
addressing topics around the concept of Levels of Assurance. We know or
expect that at least quite a few of you are interested in this topic,
and thus are likely to either participate and have an opinion on this...

An initial description of the activity and possible directions are
described below. Please note that this will be a topical activity BoF, and is
not aimed to be a charter BoF or to necessarily create a new group. If there
is sufficient momentum to address this topic (also) in the OGF context, we
can subsequently discuss the organisational embedding in an existing or
new group.

So, if you are interested, please participate via the security area mailing
list or the gforge Wiki and forum, whose URLs are listed below.
A BoF session to discuss this activity will be organised during OGF19 (to
be held in North Carolina on January 29 - February 2, 2007). You are very
warmly invited to attend this event, which will be full of new activities in
the security area.


	Best regards,
	Blair Dillaway and David Groep,
	(OGF Security ADs)


Topical BoF on Levels of Assurance (LoAs)
-----------------------------------------
   Ideas around "Levels of Assurance" have been receiving more and more
   attention, with the advance of federations and Authentication and
   Authorization infrastructures.

   "LoA is defined as the strength of authentication required for a service
   provider to be assured that a resource access is only granted to users whose
   identities have been verified. It reflects the degree of confidence in an
   authentication process used to establish the identity of an entity (an
   individual or a software component) to whom the credential was issued, and
   the degree of confidence that the entity using the credential is indeed the
   entity that the credential was issued to."

   Ning Zhang of Manchester University has taken the initiative to bring up
   the discussion on this activity in the OGF context.

   Examples of questions that this activity could address are:
   - What are the existing definitions of LoA suited to Grid or VO environment?
   - How to apply LoA to safeguard Grid services/resources?
   - Are some onerous registration requirements or special condition stipulations
     due to perceived inadequacies in the strength of authentication?
   - Are there any limitations in terms of user accessibility, scalability
     and interoperability?

   The activity can include discussion on how operational procedures affect LoA,
   how the various parameters and factors influence the overall LoA value in
   grid/VO environments, and come up with recommendations on how these factors
   can be taken into account. The purpose here is to consult, and to seek
   comments and feedbacks from, the communities concerned (including service
   providers, from e-Science, e-Business and e-Gov) on their views on the
   definition and applications of LoA in achieving fine-grained access control.

   Everyone interested in such an activity is extremely welcome to attend this
   activity BoF session.
   If there is sufficient interest within OGF, the BoF can also discuss how the
   activity is best embedded in the OGF organisation; it is not necessarily the
   aim of this BoF to result in a new research or working group.

   More information:
   Security Area Wiki:
     https://forge.gridforum.org/sf/wiki/do/viewPage/projects.sec/wiki/LoAInitiative
   Document "e-Infrastructure Security: Levels of Assurance"
 
https://forge.gridforum.org/sf/sfmain/do/downloadAttachment/projects.sec/wiki/LoAInitiative?id=atch4300
   Discussion forum:
 
https://forge.gridforum.org/sf/discussion/do/listTopics/projects.sec/discussion.loa_activity_initiative


-- 
David Groep

** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **